diff --git a/common/api/generated/index.ts b/common/api/generated/index.ts index 92a3224ca..048e6fe39 100644 --- a/common/api/generated/index.ts +++ b/common/api/generated/index.ts @@ -54,7 +54,6 @@ export { putApiV1BetaSecretsDefaultKeysByKey, } from './sdk.gen' export type { - AuthTokenValidatorConfig, ClientOptions, DeleteApiV1BetaClientsByNameData, DeleteApiV1BetaClientsByNameError, @@ -193,6 +192,11 @@ export type { GithubComStacklokToolhivePkgAuthserverOidcUpstreamRunConfig, GithubComStacklokToolhivePkgAuthserverRunConfig, GithubComStacklokToolhivePkgAuthserverSigningKeyRunConfig, + GithubComStacklokToolhivePkgAuthserverStorageAclUserRunConfig, + GithubComStacklokToolhivePkgAuthserverStorageRedisRunConfig, + GithubComStacklokToolhivePkgAuthserverStorageRedisTlsRunConfig, + GithubComStacklokToolhivePkgAuthserverStorageRunConfig, + GithubComStacklokToolhivePkgAuthserverStorageSentinelRunConfig, GithubComStacklokToolhivePkgAuthserverTokenLifespanRunConfig, GithubComStacklokToolhivePkgAuthserverTokenResponseMappingRunConfig, GithubComStacklokToolhivePkgAuthserverUpstreamProviderType, @@ -200,14 +204,17 @@ export type { GithubComStacklokToolhivePkgAuthserverUserInfoFieldMappingRunConfig, GithubComStacklokToolhivePkgAuthserverUserInfoRunConfig, GithubComStacklokToolhivePkgAuthTokenexchangeConfig, + GithubComStacklokToolhivePkgAuthTokenValidatorConfig, GithubComStacklokToolhivePkgAuthUpstreamswapConfig, GithubComStacklokToolhivePkgAuthzConfig, GithubComStacklokToolhivePkgClientClientApp, GithubComStacklokToolhivePkgClientClientAppStatus, GithubComStacklokToolhivePkgClientRegisteredClient, + GithubComStacklokToolhivePkgContainerRuntimeWorkloadStatus, GithubComStacklokToolhivePkgContainerTemplatesRuntimeConfig, GithubComStacklokToolhivePkgCoreWorkload, GithubComStacklokToolhivePkgGroupsGroup, + GithubComStacklokToolhivePkgIgnoreConfig, GithubComStacklokToolhivePkgRegistryOAuthPublicConfig, GithubComStacklokToolhivePkgRunnerHeaderForwardConfig, GithubComStacklokToolhivePkgRunnerRunConfig, @@ -224,10 +231,12 @@ export type { GithubComStacklokToolhivePkgSkillsSkillMetadata, GithubComStacklokToolhivePkgSkillsValidationResult, GithubComStacklokToolhivePkgTelemetryConfig, + GithubComStacklokToolhivePkgTransportTypesMiddlewareConfig, + GithubComStacklokToolhivePkgTransportTypesProxyMode, + GithubComStacklokToolhivePkgTransportTypesTransportType, GithubComStacklokToolhivePkgWebhookConfig, GithubComStacklokToolhivePkgWebhookFailurePolicy, GithubComStacklokToolhivePkgWebhookTlsConfig, - IgnoreConfig, PermissionsInboundNetworkPermissions, PermissionsNetworkPermissions, PermissionsOutboundNetworkPermissions, @@ -393,10 +402,4 @@ export type { RegistryProvenance, RegistryRemoteServerMetadata, RegistryVerifiedAttestation, - StorageAclUserRunConfig, - StorageRedisRunConfig, - StorageRedisTlsRunConfig, - StorageRunConfig, - StorageSentinelRunConfig, - TypesMiddlewareConfig, } from './types.gen' diff --git a/common/api/generated/types.gen.ts b/common/api/generated/types.gen.ts index 0560d669b..4594a0ed0 100644 --- a/common/api/generated/types.gen.ts +++ b/common/api/generated/types.gen.ts @@ -4,63 +4,6 @@ export type ClientOptions = { baseUrl: `${string}://${string}` | (string & {}) } -/** - * DEPRECATED: Middleware configuration. - * OIDCConfig contains OIDC configuration - */ -export type AuthTokenValidatorConfig = { - /** - * AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses - */ - allowPrivateIP?: boolean - /** - * Audience is the expected audience for the token - */ - audience?: string - /** - * AuthTokenFile is the path to file containing bearer token for authentication - */ - authTokenFile?: string - /** - * CACertPath is the path to the CA certificate bundle for HTTPS requests - */ - cacertPath?: string - /** - * ClientID is the OIDC client ID - */ - clientID?: string - /** - * ClientSecret is the optional OIDC client secret for introspection - */ - clientSecret?: string - /** - * InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing - * WARNING: This is insecure and should NEVER be used in production - */ - insecureAllowHTTP?: boolean - /** - * IntrospectionURL is the optional introspection endpoint for validating tokens - */ - introspectionURL?: string - /** - * Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) - */ - issuer?: string - /** - * JWKSURL is the URL to fetch the JWKS from - */ - jwksurl?: string - /** - * ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728) - */ - resourceURL?: string - /** - * Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) - * If empty, defaults to ["openid"] - */ - scopes?: Array -} - /** * Full registry data */ @@ -145,6 +88,63 @@ export type GithubComStacklokToolhivePkgAuditConfig = { maxDataSize?: number } +/** + * DEPRECATED: Middleware configuration. + * OIDCConfig contains OIDC configuration + */ +export type GithubComStacklokToolhivePkgAuthTokenValidatorConfig = { + /** + * AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses + */ + allowPrivateIP?: boolean + /** + * Audience is the expected audience for the token + */ + audience?: string + /** + * AuthTokenFile is the path to file containing bearer token for authentication + */ + authTokenFile?: string + /** + * CACertPath is the path to the CA certificate bundle for HTTPS requests + */ + cacertPath?: string + /** + * ClientID is the OIDC client ID + */ + clientID?: string + /** + * ClientSecret is the optional OIDC client secret for introspection + */ + clientSecret?: string + /** + * InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing + * WARNING: This is insecure and should NEVER be used in production + */ + insecureAllowHTTP?: boolean + /** + * IntrospectionURL is the optional introspection endpoint for validating tokens + */ + introspectionURL?: string + /** + * Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) + */ + issuer?: string + /** + * JWKSURL is the URL to fetch the JWKS from + */ + jwksurl?: string + /** + * ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728) + */ + resourceURL?: string + /** + * Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) + * If empty, defaults to ["openid"] + */ + scopes?: Array +} + /** * AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services */ @@ -450,7 +450,7 @@ export type GithubComStacklokToolhivePkgAuthserverRunConfig = { */ scopes_supported?: Array signing_key_config?: GithubComStacklokToolhivePkgAuthserverSigningKeyRunConfig - storage?: StorageRunConfig + storage?: GithubComStacklokToolhivePkgAuthserverStorageRunConfig token_lifespans?: GithubComStacklokToolhivePkgAuthserverTokenLifespanRunConfig /** * Upstreams configures connections to upstream Identity Providers. @@ -599,6 +599,95 @@ export type GithubComStacklokToolhivePkgAuthserverUserInfoRunConfig = { http_method?: string } +/** + * ACLUserConfig contains ACL user authentication configuration. + */ +export type GithubComStacklokToolhivePkgAuthserverStorageAclUserRunConfig = { + /** + * PasswordEnvVar is the environment variable containing the Redis password. + */ + password_env_var?: string + /** + * UsernameEnvVar is the environment variable containing the Redis username. + */ + username_env_var?: string +} + +/** + * RedisConfig is the Redis-specific configuration when Type is "redis". + */ +export type GithubComStacklokToolhivePkgAuthserverStorageRedisRunConfig = { + acl_user_config?: GithubComStacklokToolhivePkgAuthserverStorageAclUserRunConfig + /** + * AuthType must be "aclUser" - only ACL user authentication is supported. + */ + auth_type?: string + /** + * DialTimeout is the timeout for establishing connections (e.g., "5s"). + */ + dial_timeout?: string + /** + * KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". + */ + key_prefix?: string + /** + * ReadTimeout is the timeout for read operations (e.g., "3s"). + */ + read_timeout?: string + sentinel_config?: GithubComStacklokToolhivePkgAuthserverStorageSentinelRunConfig + sentinel_tls?: GithubComStacklokToolhivePkgAuthserverStorageRedisTlsRunConfig + tls?: GithubComStacklokToolhivePkgAuthserverStorageRedisTlsRunConfig + /** + * WriteTimeout is the timeout for write operations (e.g., "3s"). + */ + write_timeout?: string +} + +/** + * SentinelTLS configures TLS for Sentinel connections. + * Falls back to TLS config when nil. + */ +export type GithubComStacklokToolhivePkgAuthserverStorageRedisTlsRunConfig = { + /** + * CACertFile is the path to a PEM-encoded CA certificate file. + */ + ca_cert_file?: string + /** + * InsecureSkipVerify skips certificate verification. + */ + insecure_skip_verify?: boolean +} + +/** + * Storage configures the storage backend for the auth server. + * If nil, defaults to in-memory storage. + */ +export type GithubComStacklokToolhivePkgAuthserverStorageRunConfig = { + redis_config?: GithubComStacklokToolhivePkgAuthserverStorageRedisRunConfig + /** + * Type specifies the storage backend type. Defaults to "memory". + */ + type?: string +} + +/** + * SentinelConfig contains Sentinel-specific configuration. + */ +export type GithubComStacklokToolhivePkgAuthserverStorageSentinelRunConfig = { + /** + * DB is the Redis database number (default: 0). + */ + db?: number + /** + * MasterName is the name of the Redis Sentinel master. + */ + master_name?: string + /** + * SentinelAddrs is the list of Sentinel addresses (host:port). + */ + sentinel_addrs?: Array +} + /** * DEPRECATED: Middleware configuration. * AuthzConfig contains the authorization configuration @@ -661,6 +750,38 @@ export type GithubComStacklokToolhivePkgClientRegisteredClient = { name?: GithubComStacklokToolhivePkgClientClientApp } +/** + * Current status of the workload + */ +export type GithubComStacklokToolhivePkgContainerRuntimeWorkloadStatus = + | 'running' + | 'stopped' + | 'error' + | 'starting' + | 'stopping' + | 'unhealthy' + | 'removing' + | 'unknown' + | 'unauthenticated' + | 'running' + | 'stopped' + | 'error' + | 'starting' + | 'stopping' + | 'unhealthy' + | 'removing' + | 'unknown' + | 'unauthenticated' + | 'running' + | 'stopped' + | 'error' + | 'starting' + | 'stopping' + | 'unhealthy' + | 'removing' + | 'unknown' + | 'unauthenticated' + /** * RuntimeConfig allows overriding the default runtime configuration * for this specific workload (base images and packages) @@ -724,19 +845,7 @@ export type GithubComStacklokToolhivePkgCoreWorkload = { * StartedAt is when the container was last started (changes on restart) */ started_at?: string - /** - * Status is the current status of the workload. - */ - status?: - | 'running' - | 'stopped' - | 'error' - | 'starting' - | 'stopping' - | 'unhealthy' - | 'removing' - | 'unknown' - | 'unauthenticated' + status?: GithubComStacklokToolhivePkgContainerRuntimeWorkloadStatus /** * StatusContext provides additional context about the workload's status. * The exact meaning is determined by the status and the underlying runtime. @@ -746,10 +855,7 @@ export type GithubComStacklokToolhivePkgCoreWorkload = { * ToolsFilter is the filter on tools applied to the workload. */ tools?: Array - /** - * TransportType is the type of transport used for this workload. - */ - transport_type?: 'stdio' | 'sse' | 'streamable-http' | 'inspector' + transport_type?: GithubComStacklokToolhivePkgTransportTypesTransportType /** * URL is the URL of the workload exposed by the ToolHive proxy. */ @@ -762,6 +868,20 @@ export type GithubComStacklokToolhivePkgGroupsGroup = { skills?: Array } +/** + * IgnoreConfig contains configuration for ignore processing + */ +export type GithubComStacklokToolhivePkgIgnoreConfig = { + /** + * Whether to load global ignore patterns + */ + loadGlobal?: boolean + /** + * Whether to print resolved overlay paths for debugging + */ + printOverlays?: boolean +} + /** * AuthConfig contains the non-secret OAuth configuration when auth is configured. * Nil when auth_status is "none". @@ -865,7 +985,7 @@ export type GithubComStacklokToolhivePkgRunnerRunConfig = { * Host is the host for the HTTP proxy */ host?: string - ignore_config?: IgnoreConfig + ignore_config?: GithubComStacklokToolhivePkgIgnoreConfig /** * Image is the Docker image to run */ @@ -888,12 +1008,12 @@ export type GithubComStacklokToolhivePkgRunnerRunConfig = { * MiddlewareConfigs contains the list of middleware to apply to the transport * and the configuration for each middleware. */ - middleware_configs?: Array + middleware_configs?: Array /** * Name is the name of the MCP server */ name?: string - oidc_config?: AuthTokenValidatorConfig + oidc_config?: GithubComStacklokToolhivePkgAuthTokenValidatorConfig /** * PermissionProfileNameOrPath is the name or path of the permission profile */ @@ -902,11 +1022,7 @@ export type GithubComStacklokToolhivePkgRunnerRunConfig = { * Port is the port for the HTTP proxy to listen on (host port) */ port?: number - /** - * ProxyMode is the proxy mode for stdio transport ("sse" or "streamable-http") - * Note: "sse" is deprecated; use "streamable-http" instead. - */ - proxy_mode?: 'sse' | 'streamable-http' + proxy_mode?: GithubComStacklokToolhivePkgTransportTypesProxyMode /** * Publish lists ports to publish to the host in format "hostPort:containerPort" */ @@ -954,10 +1070,7 @@ export type GithubComStacklokToolhivePkgRunnerRunConfig = { tools_override?: { [key: string]: GithubComStacklokToolhivePkgRunnerToolOverride } - /** - * Transport is the transport mode (stdio, sse, or streamable-http) - */ - transport?: 'stdio' | 'sse' | 'streamable-http' | 'inspector' + transport?: GithubComStacklokToolhivePkgTransportTypesTransportType /** * TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies */ @@ -1242,6 +1355,49 @@ export type GithubComStacklokToolhivePkgTelemetryConfig = { useLegacyAttributes?: boolean } +export type GithubComStacklokToolhivePkgTransportTypesMiddlewareConfig = { + /** + * Parameters is a JSON object containing the middleware parameters. + * It is stored as a raw message to allow flexible parameter types. + */ + parameters?: { + [key: string]: unknown + } + /** + * Type is a string representing the middleware type. + */ + type?: string +} + +/** + * ProxyMode is the effective HTTP protocol the proxy uses. + * For stdio transports, this is the configured mode (sse or streamable-http). + * For direct transports (sse/streamable-http), this matches the transport type. + * Note: "sse" is deprecated; use "streamable-http" instead. + */ +export type GithubComStacklokToolhivePkgTransportTypesProxyMode = + | 'sse' + | 'streamable-http' + | 'sse' + | 'streamable-http' + +/** + * Transport is the transport mode (stdio, sse, or streamable-http) + */ +export type GithubComStacklokToolhivePkgTransportTypesTransportType = + | 'stdio' + | 'sse' + | 'streamable-http' + | 'inspector' + | 'stdio' + | 'sse' + | 'streamable-http' + | 'inspector' + | 'stdio' + | 'sse' + | 'streamable-http' + | 'inspector' + export type GithubComStacklokToolhivePkgWebhookConfig = { failure_policy?: GithubComStacklokToolhivePkgWebhookFailurePolicy /** @@ -1291,20 +1447,6 @@ export type GithubComStacklokToolhivePkgWebhookTlsConfig = { insecure_skip_verify?: boolean } -/** - * IgnoreConfig contains configuration for ignore processing - */ -export type IgnoreConfig = { - /** - * Whether to load global ignore patterns - */ - loadGlobal?: boolean - /** - * Whether to print resolved overlay paths for debugging - */ - printOverlays?: boolean -} - /** * Inbound defines inbound network permissions */ @@ -2164,19 +2306,7 @@ export type PkgApiV1WorkloadListResponse = { * Response containing workload status information */ export type PkgApiV1WorkloadStatusResponse = { - /** - * Current status of the workload - */ - status?: - | 'running' - | 'stopped' - | 'error' - | 'starting' - | 'stopping' - | 'unhealthy' - | 'removing' - | 'unknown' - | 'unauthenticated' + status?: GithubComStacklokToolhivePkgContainerRuntimeWorkloadStatus } export type RegistryEnvVar = { @@ -2544,109 +2674,6 @@ export type RegistryVerifiedAttestation = { predicate_type?: string } -/** - * ACLUserConfig contains ACL user authentication configuration. - */ -export type StorageAclUserRunConfig = { - /** - * PasswordEnvVar is the environment variable containing the Redis password. - */ - password_env_var?: string - /** - * UsernameEnvVar is the environment variable containing the Redis username. - */ - username_env_var?: string -} - -/** - * RedisConfig is the Redis-specific configuration when Type is "redis". - */ -export type StorageRedisRunConfig = { - acl_user_config?: StorageAclUserRunConfig - /** - * AuthType must be "aclUser" - only ACL user authentication is supported. - */ - auth_type?: string - /** - * DialTimeout is the timeout for establishing connections (e.g., "5s"). - */ - dial_timeout?: string - /** - * KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". - */ - key_prefix?: string - /** - * ReadTimeout is the timeout for read operations (e.g., "3s"). - */ - read_timeout?: string - sentinel_config?: StorageSentinelRunConfig - sentinel_tls?: StorageRedisTlsRunConfig - tls?: StorageRedisTlsRunConfig - /** - * WriteTimeout is the timeout for write operations (e.g., "3s"). - */ - write_timeout?: string -} - -/** - * SentinelTLS configures TLS for Sentinel connections. - * Falls back to TLS config when nil. - */ -export type StorageRedisTlsRunConfig = { - /** - * CACertFile is the path to a PEM-encoded CA certificate file. - */ - ca_cert_file?: string - /** - * InsecureSkipVerify skips certificate verification. - */ - insecure_skip_verify?: boolean -} - -/** - * Storage configures the storage backend for the auth server. - * If nil, defaults to in-memory storage. - */ -export type StorageRunConfig = { - redis_config?: StorageRedisRunConfig - /** - * Type specifies the storage backend type. Defaults to "memory". - */ - type?: string -} - -/** - * SentinelConfig contains Sentinel-specific configuration. - */ -export type StorageSentinelRunConfig = { - /** - * DB is the Redis database number (default: 0). - */ - db?: number - /** - * MasterName is the name of the Redis Sentinel master. - */ - master_name?: string - /** - * SentinelAddrs is the list of Sentinel addresses (host:port). - */ - sentinel_addrs?: Array -} - -export type TypesMiddlewareConfig = { - /** - * Parameters is a JSON object containing the middleware parameters. - * It is stored as a raw message to allow flexible parameter types. - */ - parameters?: { - [key: string]: unknown - } - /** - * Type is a string representing the middleware type. - */ - type?: string -} - export type GetApiOpenapiJsonData = { body?: never path?: never diff --git a/common/api/openapi.json b/common/api/openapi.json index a7cfb959c..623902375 100644 --- a/common/api/openapi.json +++ b/common/api/openapi.json @@ -1,63 +1,6 @@ { "components": { "schemas": { - "auth.TokenValidatorConfig": { - "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", - "properties": { - "allowPrivateIP": { - "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", - "type": "boolean" - }, - "audience": { - "description": "Audience is the expected audience for the token", - "type": "string" - }, - "authTokenFile": { - "description": "AuthTokenFile is the path to file containing bearer token for authentication", - "type": "string" - }, - "cacertPath": { - "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", - "type": "string" - }, - "clientID": { - "description": "ClientID is the OIDC client ID", - "type": "string" - }, - "clientSecret": { - "description": "ClientSecret is the optional OIDC client secret for introspection", - "type": "string" - }, - "insecureAllowHTTP": { - "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", - "type": "boolean" - }, - "introspectionURL": { - "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", - "type": "string" - }, - "issuer": { - "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", - "type": "string" - }, - "jwksurl": { - "description": "JWKSURL is the URL to fetch the JWKS from", - "type": "string" - }, - "resourceURL": { - "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, "github_com_stacklok_toolhive-core_registry_types.Registry": { "description": "Full registry data", "properties": { @@ -140,6 +83,63 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": { + "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", + "properties": { + "allowPrivateIP": { + "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", + "type": "boolean" + }, + "audience": { + "description": "Audience is the expected audience for the token", + "type": "string" + }, + "authTokenFile": { + "description": "AuthTokenFile is the path to file containing bearer token for authentication", + "type": "string" + }, + "cacertPath": { + "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", + "type": "string" + }, + "clientID": { + "description": "ClientID is the OIDC client ID", + "type": "string" + }, + "clientSecret": { + "description": "ClientSecret is the optional OIDC client secret for introspection", + "type": "string" + }, + "insecureAllowHTTP": { + "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", + "type": "boolean" + }, + "introspectionURL": { + "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", + "type": "string" + }, + "issuer": { + "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", + "type": "string" + }, + "jwksurl": { + "description": "JWKSURL is the URL to fetch the JWKS from", + "type": "string" + }, + "resourceURL": { + "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_auth_awssts.Config": { "description": "AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services", "properties": { @@ -468,7 +468,7 @@ "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig" }, "storage": { - "$ref": "#/components/schemas/storage.RunConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig" }, "token_lifespans": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig" @@ -627,6 +627,107 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": { + "description": "ACLUserConfig contains ACL user authentication configuration.", + "properties": { + "password_env_var": { + "description": "PasswordEnvVar is the environment variable containing the Redis password.", + "type": "string" + }, + "username_env_var": { + "description": "UsernameEnvVar is the environment variable containing the Redis username.", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": { + "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", + "properties": { + "acl_user_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig" + }, + "auth_type": { + "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", + "type": "string" + }, + "dial_timeout": { + "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", + "type": "string" + }, + "key_prefix": { + "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", + "type": "string" + }, + "read_timeout": { + "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", + "type": "string" + }, + "sentinel_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig" + }, + "sentinel_tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "write_timeout": { + "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": { + "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", + "properties": { + "ca_cert_file": { + "description": "CACertFile is the path to a PEM-encoded CA certificate file.", + "type": "string" + }, + "insecure_skip_verify": { + "description": "InsecureSkipVerify skips certificate verification.", + "type": "boolean" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": { + "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", + "properties": { + "redis_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig" + }, + "type": { + "description": "Type specifies the storage backend type. Defaults to \"memory\".", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": { + "description": "SentinelConfig contains Sentinel-specific configuration.", + "properties": { + "db": { + "description": "DB is the Redis database number (default: 0).", + "type": "integer" + }, + "master_name": { + "description": "MasterName is the name of the Redis Sentinel master.", + "type": "string" + }, + "sentinel_addrs": { + "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_authz.Config": { "description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration", "properties": { @@ -730,6 +831,50 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": { + "description": "Current status of the workload", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string", + "x-enum-varnames": [ + "WorkloadStatusRunning", + "WorkloadStatusStopped", + "WorkloadStatusError", + "WorkloadStatusStarting", + "WorkloadStatusStopping", + "WorkloadStatusUnhealthy", + "WorkloadStatusRemoving", + "WorkloadStatusUnknown", + "WorkloadStatusUnauthenticated" + ] + }, "github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": { "description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)", "properties": { @@ -790,19 +935,7 @@ "type": "string" }, "status": { - "description": "Status is the current status of the workload.", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" }, "status_context": { "description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.", @@ -817,9 +950,7 @@ "uniqueItems": false }, "transport_type": { - "description": "TransportType is the type of transport used for this workload.", - "enum": ["stdio", "sse", "streamable-http", "inspector"], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "url": { "description": "URL is the URL of the workload exposed by the ToolHive proxy.", @@ -850,6 +981,20 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_ignore.Config": { + "description": "IgnoreConfig contains configuration for ignore processing", + "properties": { + "loadGlobal": { + "description": "Whether to load global ignore patterns", + "type": "boolean" + }, + "printOverlays": { + "description": "Whether to print resolved overlay paths for debugging", + "type": "boolean" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_registry.OAuthPublicConfig": { "description": "AuthConfig contains the non-secret OAuth configuration when auth is configured.\nNil when auth_status is \"none\".", "properties": { @@ -972,7 +1117,7 @@ "type": "string" }, "ignore_config": { - "$ref": "#/components/schemas/ignore.Config" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config" }, "image": { "description": "Image is the Docker image to run", @@ -993,7 +1138,7 @@ "middleware_configs": { "description": "MiddlewareConfigs contains the list of middleware to apply to the transport\nand the configuration for each middleware.", "items": { - "$ref": "#/components/schemas/types.MiddlewareConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig" }, "type": "array", "uniqueItems": false @@ -1003,7 +1148,7 @@ "type": "string" }, "oidc_config": { - "$ref": "#/components/schemas/auth.TokenValidatorConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig" }, "permission_profile_name_or_path": { "description": "PermissionProfileNameOrPath is the name or path of the permission profile", @@ -1014,9 +1159,7 @@ "type": "integer" }, "proxy_mode": { - "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", - "enum": ["sse", "streamable-http"], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode" }, "publish": { "description": "Publish lists ports to publish to the host in format \"hostPort:containerPort\"", @@ -1085,9 +1228,7 @@ "type": "object" }, "transport": { - "description": "Transport is the transport mode (stdio, sse, or streamable-http)", - "enum": ["stdio", "sse", "streamable-http", "inspector"], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "trust_proxy_headers": { "description": "TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies", @@ -1394,6 +1535,49 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig": { + "properties": { + "parameters": { + "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", + "type": "object" + }, + "type": { + "description": "Type is a string representing the middleware type.", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_transport_types.ProxyMode": { + "description": "ProxyMode is the effective HTTP protocol the proxy uses.\nFor stdio transports, this is the configured mode (sse or streamable-http).\nFor direct transports (sse/streamable-http), this matches the transport type.\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", + "enum": ["sse", "streamable-http", "sse", "streamable-http"], + "type": "string", + "x-enum-varnames": ["ProxyModeSSE", "ProxyModeStreamableHTTP"] + }, + "github_com_stacklok_toolhive_pkg_transport_types.TransportType": { + "description": "Transport is the transport mode (stdio, sse, or streamable-http)", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string", + "x-enum-varnames": [ + "TransportTypeStdio", + "TransportTypeSSE", + "TransportTypeStreamableHTTP", + "TransportTypeInspector" + ] + }, "github_com_stacklok_toolhive_pkg_webhook.Config": { "properties": { "failure_policy": { @@ -1449,20 +1633,6 @@ }, "type": "object" }, - "ignore.Config": { - "description": "IgnoreConfig contains configuration for ignore processing", - "properties": { - "loadGlobal": { - "description": "Whether to load global ignore patterns", - "type": "boolean" - }, - "printOverlays": { - "description": "Whether to print resolved overlay paths for debugging", - "type": "boolean" - } - }, - "type": "object" - }, "permissions.InboundNetworkPermissions": { "description": "Inbound defines inbound network permissions", "properties": { @@ -2518,19 +2688,7 @@ "description": "Response containing workload status information", "properties": { "status": { - "description": "Current status of the workload", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" } }, "type": "object" @@ -2944,120 +3102,6 @@ } }, "type": "object" - }, - "storage.ACLUserRunConfig": { - "description": "ACLUserConfig contains ACL user authentication configuration.", - "properties": { - "password_env_var": { - "description": "PasswordEnvVar is the environment variable containing the Redis password.", - "type": "string" - }, - "username_env_var": { - "description": "UsernameEnvVar is the environment variable containing the Redis username.", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisRunConfig": { - "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", - "properties": { - "acl_user_config": { - "$ref": "#/components/schemas/storage.ACLUserRunConfig" - }, - "auth_type": { - "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", - "type": "string" - }, - "dial_timeout": { - "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", - "type": "string" - }, - "key_prefix": { - "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", - "type": "string" - }, - "read_timeout": { - "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", - "type": "string" - }, - "sentinel_config": { - "$ref": "#/components/schemas/storage.SentinelRunConfig" - }, - "sentinel_tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "write_timeout": { - "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisTLSRunConfig": { - "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", - "properties": { - "ca_cert_file": { - "description": "CACertFile is the path to a PEM-encoded CA certificate file.", - "type": "string" - }, - "insecure_skip_verify": { - "description": "InsecureSkipVerify skips certificate verification.", - "type": "boolean" - } - }, - "type": "object" - }, - "storage.RunConfig": { - "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", - "properties": { - "redis_config": { - "$ref": "#/components/schemas/storage.RedisRunConfig" - }, - "type": { - "description": "Type specifies the storage backend type. Defaults to \"memory\".", - "type": "string" - } - }, - "type": "object" - }, - "storage.SentinelRunConfig": { - "description": "SentinelConfig contains Sentinel-specific configuration.", - "properties": { - "db": { - "description": "DB is the Redis database number (default: 0).", - "type": "integer" - }, - "master_name": { - "description": "MasterName is the name of the Redis Sentinel master.", - "type": "string" - }, - "sentinel_addrs": { - "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - } - }, - "type": "object" - }, - "types.MiddlewareConfig": { - "properties": { - "parameters": { - "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", - "type": "object" - }, - "type": { - "description": "Type is a string representing the middleware type.", - "type": "string" - } - }, - "type": "object" } } }, diff --git a/utils/constants.ts b/utils/constants.ts index 8730b6dcb..33aae94f4 100644 --- a/utils/constants.ts +++ b/utils/constants.ts @@ -3,4 +3,4 @@ * This is managed by Renovate and updated automatically when new versions are released. * renovate: datasource=github-releases depName=stacklok/toolhive versioning=semver */ -export const TOOLHIVE_VERSION = process.env.THV_VERSION ?? 'v0.14.1' +export const TOOLHIVE_VERSION = process.env.THV_VERSION ?? 'v0.15.0'